MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b3c1cf01ac54080d640982382a1a9deb3bc3779b2951d2b19c9d3a4d611be74. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 7 File information Comments

SHA256 hash:	8b3c1cf01ac54080d640982382a1a9deb3bc3779b2951d2b19c9d3a4d611be74
SHA3-384 hash:	a4515bac0f7e13641cffa07abb2864ec400cd6facf1a2cd99c0ec4e495601a29d9ad0d5c4ef08d5bdc262c553675731b
SHA1 hash:	d7f4d77cfa3d6e33a563835f7a7eaac0380f536b
MD5 hash:	ca707010406985ccef916bc51417f166
humanhash:	fillet-lima-friend-oxygen
File name:	8b3c1cf01ac54080d640982382a1a9deb3bc3779b2951.exe
Download:	download sample
Signature	RedLineStealer Create hunting rule
File size:	4'881'200 bytes
First seen:	2022-02-20 23:56:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fddc083fa31a17c938d0a17ec7cd3025 (141 x RedLineStealer, 4 x RaccoonStealer, 1 x Formbook)
ssdeep	98304:ZZgA/8OmjGte3Fl3NUcLKhdJTk3T+14Y9G4Du7pg4eX0onG:ZZd0fjzD3hL2aeGeu24eX0yG
Threatray	1'365 similar samples on MalwareBazaar
TLSH	T1043633A3ABC0EEF0C0016970657AE275F5E051F618E335B5A13E8247EF66296D3EC427
Reporter	abuse_ch
Tags:	exe RedLineStealer

abuse_ch

RedLineStealer C2:
185.68.21.99:10242

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
185.68.21.99:10242	https://threatfox.abuse.ch/ioc/389726/

Intelligence

File Origin

# of uploads :

# of downloads :

256

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ca707010406985ccef916bc51417f166.exe.vir

Verdict:

Malicious activity

Analysis date:

2022-02-21 01:12:41 UTC

Tags:

trojan rat redline stealer

Link:

https://app.any.run/tasks/80c6fdc3-1adf-44ab-abef-810672f04660

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/242824/

Detection(s):

PUA.Win.Packer.Asprotect-3

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Сreating synchronization primitives

Sending an HTTP POST request

DNS request

Sending a custom TCP request

Creating a window

Creating a file in the %temp% directory

Reading critical registry keys

Using the Windows Management Instrumentation requests

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/6212d552ac8ad0468b5df920/reports/1337c7a1-0df4-434a-acea-ab1a2b542620/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/144cb690-2010-4b58-80ac-a90bde1b605b

Result

Threat name:

RedLine

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/942928

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file has nameless sections

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Writes to foreign memory regions

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8b3c1cf01ac54080d640982382a1a9deb3bc3779b2951d2b19c9d3a4d611be74/

Threat name:

ByteCode-MSIL.Ransomware.WannaCry

Status:

Malicious

First seen:

2022-02-20 23:57:15 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 28 (85.71%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rm6bz4a2yvaibvsataryfinj32z3yn3zwkkr2kyzzhj2jvqrxz2a._file

Verdict:

malicious

RedLineStealer

398cb27e45b7edad5322cbf38a9c39510bb9d8b3267b6d88d9cb1c53c575a6bb

RedLineStealer

7e1624df0ec310b2766bd7a9a98f05ef1ed576f0f7e0699aee3ecc35ddb03c12

RedLineStealer

9dc01f9775f0a72650952345f3da7719c550797edc5a249f22171d9e0484516f

RedLineStealer

c57ec94c7fed128887694b07d817af02c2d19aac98d8d1fbd4004a8accee4ee5

RedLineStealer

d18fcd892cfdce30de3d7ff4f594ffac1e28867905f94afd586c6fff83b63457

RedLineStealer

f1a11f00ce1ff509fa6039cc1ecc147f6f4e83d15d9c27f6a2a97da78c0512ba

RedLineStealer

+ 1'355 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

n/a

Link:

https://tria.ge/reports/220220-3zk3aschfr/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Drops file in Windows directory

Suspicious use of NtCreateProcessExOtherParentProcess

Unpacked files

SH256 hash:

6e82d00b1cec01944b8a1c85421fc2e22aa424ec6935f666d99c563e40eed492

MD5 hash:

21d8287b26942a9ea8acdc86135ad852

SHA1 hash:

40d721999bcfa8f79560154a2a9e6ef1ac3ba54e

Link:

https://www.unpac.me/results/e526b416-3ad4-4e25-b94f-73c5f211d7d3/

SH256 hash:

c3756ad4adea619151b14549bb3cdfb1cdd4d3a1560f54c4b8cacdfec9fc3588

MD5 hash:

3c160b6265988b9467faf69e4a7e0b81

SHA1 hash:

03f7682f64bdf75df371f3c91e1946ede189ab7e

Link:

https://www.unpac.me/results/e526b416-3ad4-4e25-b94f-73c5f211d7d3/

SH256 hash:

8b3c1cf01ac54080d640982382a1a9deb3bc3779b2951d2b19c9d3a4d611be74

MD5 hash:

ca707010406985ccef916bc51417f166

SHA1 hash:

d7f4d77cfa3d6e33a563835f7a7eaac0380f536b

Link:

https://www.unpac.me/results/e526b416-3ad4-4e25-b94f-73c5f211d7d3/

Malware family:

RedLine

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/8b3c1cf01ac5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/8b3c1cf01ac54080d640982382a1a9deb3bc3779b2951d2b19c9d3a4d611be74

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	RedLine_a Create hunting rule
Author:	@bartblaze
Description:	Identifies RedLine stealer.

Rule name:	redline_new_bin Create hunting rule
Author:	James_inthe_box
Description:	Redline stealer
Reference:	https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8

Rule name:	redline_stealer Create hunting rule
Author:	jeFF0Falltrades
Description:	This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name:	Sectigo_Code_Signed Create hunting rule
Description:	Detects code signed by the Sectigo RSA Code Signing CA
Reference:	https://bazaar.abuse.ch/export/csv/cscb/

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/242824/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample